What is embedding degree?

What is the embedding degree of an elliptic curve group and what does it mean? And why is this important to understand when you’re implementing pairing-based cryptographic algorithms?

Suppose that we have a pairing e: G1 x G2 → GT where p and q are primes, G1, G2 and GT all have order p, and GT is a subgroup of GF(qk)*. In most of the useful cases, G1 is a subgroup of E[p] for some elliptic curve E/GF(q), while G2 is either a subgroup of either E[p] or E’[p] for some other elliptic curve E’ (usually a twist of E).

Note that when q is a power of a prime the usual definition of embedding degree actually doesn’t quite have the properties that we’d like it to have. See this discussion, for example. Let’s just consider the case where q is a prime here so that we don’t have to worry about that. That includes all of the cases that are useful for implementing pairing-based cryptography, so that’s not a huge restriction.

Note that G1, G2, and GT are all isomorphic. To see why this is true, pick P0 ∈ G1 and Q0 ∈ G2, and we have that e(P,Q0) is an isomorphism from G1 to GT and e(P0,Q) is an isomorphism from G2 to GT.

This means that the points in G1 or G2 that are of order p get mapped to points in GT that are also of order p by the isomorphism. In particular, because pP = O for P ∈ G1 we have gp = 1 for g ∈ GT, or that the elements of GTare really the pth roots of 1 in GF(qk)*.

Now GF(qk)* is cyclic and of order qk – 1 and the order of the subgroup GT needs to divide qk – 1. Euler's theorem tells us that qp-1 ≡ 1 (mod p) or that p | qp-1 - 1, but there might be value of k < p – 1 for which we also have p | qk - 1. The smallest k for which this is true is called the embedding degree of the group G1.

People sometimes talk about the embedding degree of an elliptic curve, but to be careful, you really need to talk about the embedding degree of a subgroup of an elliptic curve group (or possibly of the order of the subgroup). In any case, it’s the degree of the extension of GF(q) which lets us have a subgroup of GF(qk)* that’s isomorphic to G1.

This table shows the embedding degrees that we get for a few small values where we have E/GF(q): y2 = x3 + ax + b and G1 is a subgroup of order p of E(GF(q)). Note that for q = 23 the embedding degree is different for the subgroups of order 3 and 5, even for the same elliptic curve, so that just talking about the embedding degree of an elliptic curve can cause confusion.

q

a

b

#E

p

k

11

2

7

7

7

3

13

6

9

17

17

4

17

8

3

11

11

10

19

3

17

16

2

1

23

7

13

30

3

2

23

7

13

30

5

4

29

21

26

26

13

3

31

20

12

17

17

16

31

3

1

29

29

28

Because it’s cyclic, we can write GF(qk)* = {α, α2, α3, … ,αqk-1}. Writing r = (qk – 1) / p and β = αr we can write the pth roots of 1 in GF(qk)* as β, β2, …, βp which makes it easier to see the correspondence between the points of GTand the points of G1 = {P, 2P, …, pP} .

When you’re implementing pairing-based cryptography, it’s useful to have elliptic curve groups that have a low embedding degree. For the Tate pairing, for example, the arithmetic used to calculate the value of the pairing is performed in GF(qk)*, so if k is too big, it can be impractical to do this calculation. In the example above with q = 31 and p = 29, the arithmetic would need to be done in GF(3128)*, where elements have 28 coordinates instead of just one, so that arithmetic would be much more expensive than it would be in GF(31).

But a low embedding degree also means that you need parameters that are bigger than those that you might expect for cryptographic algorithms that use elliptic curves. To get 128 bits of strength, for example, you can use an elliptic curve group whose order is a 256-bit prime. But if we have a pairing we can calculate discrete logs in G1 by calculating discrete logs in GT. To find the discrete log of nP in G1 we can calculate the discrete log of e(nP,P) = e(P,P)n in GT.

Suppose G1 is a subgroup of E(GF(q))[p], where p and q are primes that have 256 bits and G1 has embedding degree 2. This means that we can find n by calculating the discrete log of nP in G1, which takes about 128 bits of work, or we could find n by calculating the discrete log of e(P,P)nin GT, which takes much less work.

According to the guidelines in the Implementation Guidance to FIPS 140-2 (PDF), (Section 7.5, Strength of Key Establishment Methods) that actually takes about 64 bits of work, the amount of work needed to calculate discrete logs in GF(q2), where q2 has 256 bits x 2 = 512 bits.

But it’s easy to keep 128 bits of strength by using a group with a higher embedding degree. If we use a group whose order has 256 bits and has embedding degree 12 then calculating discrete logs in GTalso takes 128 bits of work (256 bits x 12 = 3,072 bits, the size of GF(n)* that’s required to have 128 bits of strength).

It turns out that most elliptic curve groups have fairly big embedding degrees. So if you pick a random elliptic curve, it’s very unlikely to be useful for pairing-based cryptography. More on that tomorrow. (If I can recover from the trauma of getting that table converted to HTML by then, that is.)